The current round of desperation emails is a knee-jerk, bandwagon response from a worried industry that’s suddenly hit a deadline.

If this is their sole game plan, then their future is going to get very bad indeed.

GDPR is a juggernaut of a thing, and it isn’t just about getting consent to use people’s email addresses (which, by the way, companies should have obtained in the first place, meaning a lot of those desperation emails are actually unnecessary…)

But more importantly: if you lose certain kinds of data, you have to inform your customers. Oh shit.

So you write them a really vague letter, with a few lines about a “data mishandling incident”, and hope they throw it in the bin.

It won’t work, and we know that, because in the US they already have this “mandatory disclosure regime”. And when people get those vague letters, they send them to this guy:

That’s Brian Krebs, a security researcher and journalist who’s played a major part in breaking data breach stories such as TK Maxx, Ashley Madison, etc., partly thanks to tip-offs from those customer letters.

The Krebs whirlwind is about to hit Europe, and Britain’s data businesses are right in the storm-line.

GDPR also contains a “lift and shift” aspect: the regulations envision that I should be able to take all of my data back from an organisation, and give it to a different outfit.

Do organisations even know where my data is stored? Including all the back-ups? Do they know who they’ve shared it with over the years? How are they going to give it all back to me, and how will they delete their copies?

And how will this affect businesses like Facebook and Spotify, which have made millions from locking us in, encouraging us to gather our data in one place and making it really hard to pull the data out?

The headlines will die down after today… but GDPR’s consequences will be felt for years to come.